California Leads the Way on IoT Cybersecurity, Bans Default Passwords

California’s new IoT cybersecurity law takes aim at smart device manufacturers that expose their customers to unnecessary cybersecurity risks.

With the Internet of Things (IoT) projected to reach up to $457 billion in value by 2020, there’s never been a better time for businesses to invest in this cutting-edge technology — and networks that can support it. Before harnessing the IoT’s transformational potential, however, it’s important for consumers, business leaders, and lawmakers to work together to ensure that these systems protect private and public assets.

Enter California’s new IoT cybersecurity law, SB-327. Recently signed by Governor Jerry Brown, the law is the first in the country to regulate smart device manufacturers with specific cybersecurity standards. While the legislation isn’t without its critics, it’s widely regarded as a promising first step toward the regulation of products that are increasingly shaping the way we live, communicate, and do business.

Understanding SB-327

In the past, manufacturers have been allowed to sell smart devices with default, generic passwords. (Think “0000.”) While this practice helps customers get their purchases up and running right out of the box, it also means that hackers can easily guess those devices' default passwords, and use them as a sort of backdoor into networks where they can do real damage.

SB-327 wants to change that. Starting on January 1, 2020, California will require that smart device manufacturers equip products with “a reasonable security feature or features that are appropriate to the nature and function of the device.” Specifically, this means that manufacturers will need to include unique passwords for each device, or prompt users to create their own passwords before connecting devices to their network.

While the legislation may seem specific, the need for regulation is clear. The Mirai attack of 2016 compromised hundreds of thousands of smart devices, using them to temporarily knock out sites like Twitter and Netflix. By making it more difficult for hackers to access IoT-enabled devices, California’s state government hopes to prevent these kinds of attacks in the future.

Supporters and Critics Weigh In

For some experts, SB-327 represents much-needed progress. Harvard professor Bruce Schneier, for example, thinks that the law is a step in the right direction, although it doesn’t do as much as he’d like. “It probably doesn’t go far enough — but that’s no reason not to pass it,” he told The Washington Post.

For others, the new law represents the wrong kind of thinking — thinking that has to change if regulators are going to successfully protect public and private interests from cybersecurity threats. In a post on his blog Errata Security, researcher Robert Graham characterized SB-327 as “a typically bad bill based on a superficial understanding of cybersecurity/hacking that will do little [to] improve security, while doing a lot to impose costs and harm innovation.”

The pressure to get IoT cybersecurity legislation right is mounting, especially as Congress looks at its own version of SB-327. The Internet of Things Cybersecurity Improvement Act of 2017, although stalled in the Senate, would similarly ban default passwords and require manufacturers to protect devices from known online threats.

What This Means for Your Business

While state and federal legislators consider how best to regulate smart device manufacturers, businesses should weigh how the IoT fits into their short- and long-term plans. For many companies, that means investing strategically in this emerging field. Indeed, reports indicate that corporate investment in the IoT will surge by $15 trillion between now and 2025.

In order to reap the benefits of IoT capabilities, however, businesses need to be sure that their networks have the bandwidth to support data-intensive applications. This involves integrating smart devices — and multi-endpoint IoT systems especially — fully into your company’s IT infrastructure. By designing networks that can support current needs while allowing for the exponential growth of IoT capabilities in the future, you can get your team ahead of the curve.

However you plan to incorporate the IoT into your operations, business security should be top of mind. By partnering with a cybersecurity expert like Turn-key Technologies (TTI), you can set your company up for sustainable growth with security protocols that keep pace with your success.

At TTI, we’ve spent nearly thirty years developing high-growth networks that are as secure as they are dependable. Whether you’re looking for targeted IoT-related security solutions or a larger overhaul of your network, our team has the experience you need to protect your company against today’s wide-ranging cybersecurity threats.